
RMI/util.rb: add handling of UnicastRef2 responses #11521

Merged
merged 1 commit into from Mar 7, 2019


cnotin commented Mar 5, 2019

This PR adds the handling of UnicastRef2 responses in RMI serialized responses.
Before the patch, I noticed that several MSF modules around RMI failed against a real target, for example:

msf5 auxiliary(gather/java_rmi_registry) > run

[*] a.b.c.d:9999 - Sending RMI Header...
[*] a.b.c.d:9999 - Listing names in the Registry...
[+] a.b.c.d:9999 - 1 names found in the Registry
[-] a.b.c.d:9999 - Failed to lookup REDACTEDService

Or:

msf5 exploit(multi/misc/java_jmx_server) > run

[*] Started reverse TCP handler on 1.2.3.4:4444 
[*] a.b.c.d:9999 - Starting service...
[*] a.b.c.d:9999 - Using URL: http://0.0.0.0:8080/RTyW5o21AFvH
[*] a.b.c.d:9999 - Local IP: http://1.2.3.4:8080/RTyW5o21AFvH
[*] a.b.c.d:9999 - Sending RMI Header...
[*] a.b.c.d:9999 - Discovering the JMXRMI endpoint...
[-] a.b.c.d:9999 - Exploit aborted due to failure: no-target:a.b.c.d:9999 - Failed to discover the JMXRMI endpoint

Whereas nmap's rmi-dumpregistry has no problem dumping it:

PORT     STATE SERVICE
9999/tcp open  java-rmi
| rmi-dumpregistry: 
|   REDACTEDService
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @a.b.c.d:65161
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject

I searched for the root cause until I landed in lib/msf/core/exploit/java/rmi/util.rb.
The problem is that the service I am testing returns a UnicastRef2 message, which extract_reference does not currently handle, so it returns nil.

This PR adds support for parsing this type. It is inspired by nmap's implementation:

If my understanding is correct, the main difference is that UnicastRef2 begins with a "form" byte that shifts the parsing of the rest if it isn't captured. The rest seems to be the same, so I use the same code.

Verification

With the patch, the module works and we have the same result as with nmap:

msf5 auxiliary(gather/java_rmi_registry) > run

[*] a.b.c.d:9999 - Sending RMI Header...
[*] a.b.c.d:9999 - Listing names in the Registry...
[+] a.b.c.d:9999 - 1 names found in the Registry
[+] a.b.c.d:9999 - Name REDACTEDService (javax.management.remote.rmi.RMIServerImpl_Stub) found on a.b.c.d:65161

The java_jmx_server exploit works fine too:

msf5 exploit(multi/misc/java_jmx_server) > run

[*] Started reverse TCP handler on 1.2.3.4:4444 
[*] a.b.c.d:9999 - Using URL: http://0.0.0.0:8080/OuI7vK
[*] a.b.c.d:9999 - Local IP: http://1.2.3.4:8080/OuI7vK
[*] a.b.c.d:9999 - Sending RMI Header...
[*] a.b.c.d:9999 - Discovering the JMXRMI endpoint...
[+] a.b.c.d:9999 - JMXRMI endpoint on a.b.c.d:65161
[*] a.b.c.d:9999 - Proceeding with handshake...
[+] a.b.c.d:9999 - Handshake with JMX MBean server on a.b.c.d:65161
[*] a.b.c.d:9999 - Loading payload...
[*] a.b.c.d:9999 - Replied to request for mlet
[*] a.b.c.d:9999 - Replied to request for payload JAR
[*] a.b.c.d:9999 - Executing payload...

If that helps, the target is Tomcat 8 running on Windows.
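To make the layout difference concrete, here is a stand-alone parser for both reference types, written as an added illustration for this page; it is not the project's util.rb code. It follows the field order Java writes for a remote reference (writeUTF type name, then for UnicastRef2 one form byte, then host, port and a 22-byte ObjID), only accepts form byte 0x00 (host and port, no custom socket factory), and the sample reference bytes below are constructed rather than captured from a real service.

```ruby
require 'stringio'

# Parses the body of a serialized RMI remote reference, as written by
# java.rmi.server.RemoteObject#writeObject: a writeUTF ref-type name
# ("UnicastRef" or "UnicastRef2"), then the TCP endpoint, then the ObjID.
module RmiRefParser
  # ObjID = objNum (long) + UID: unique (int), time (long), count (short)
  OBJID_LEN = 8 + 4 + 8 + 2

  # Java writeUTF: 2-byte big-endian length followed by that many bytes.
  def self.read_utf(io)
    len = io.read(2)&.unpack1('n')
    raise ArgumentError, 'truncated UTF length' if len.nil?
    str = io.read(len)
    raise ArgumentError, 'truncated UTF body' if str.nil? || str.bytesize != len
    str.force_encoding(Encoding::UTF_8)
  end

  # Returns { type:, address:, port:, obj_id: } (obj_id as hex) or raises.
  def self.extract_reference(bytes)
    io = StringIO.new(bytes.b)
    type = read_utf(io)
    case type
    when 'UnicastRef'
      # Old endpoint format: host and port follow the type name directly.
    when 'UnicastRef2'
      # New endpoint format: one "form" byte first. 0x00 = host and port only;
      # 0x01 = host and port followed by a serialized client socket factory,
      # which is out of scope here. Skipping this byte shifts every later field.
      form = io.read(1)&.unpack1('C')
      raise ArgumentError, 'truncated form byte' if form.nil?
      raise NotImplementedError, 'UnicastRef2 with socket factory' unless form.zero?
    else
      raise ArgumentError, "unknown reference type #{type.inspect}"
    end
    address = read_utf(io)
    port = io.read(4)&.unpack1('N')
    raise ArgumentError, 'truncated port' if port.nil?
    obj_id = io.read(OBJID_LEN)
    raise ArgumentError, 'truncated ObjID' if obj_id.nil? || obj_id.bytesize != OBJID_LEN
    { type: type, address: address, port: port, obj_id: obj_id.unpack1('H*') }
  end
end

# Constructed sample references (not captured from any real service).
OBJID_SAMPLE = [0x1122334455667788].pack('Q>') + [0x0a0b0c0d].pack('N') +
               [0x0000016951a3d2c4].pack('Q>') + [0x8001].pack('n')
ENDPOINT_SAMPLE = "\x00\x07a.b.c.d".b + [65161].pack('N')
UNICASTREF_SAMPLE  = "\x00\x0aUnicastRef".b + ENDPOINT_SAMPLE + OBJID_SAMPLE + "\x00".b
UNICASTREF2_SAMPLE = "\x00\x0bUnicastRef2\x00".b + ENDPOINT_SAMPLE + OBJID_SAMPLE + "\x00".b
```

Both samples decode to the same host, port and ObjID; feeding the UnicastRef2 bytes to a parser that does not consume the form byte would instead read a one-byte-shifted host length and garbage port.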

@bcoles bcoles added the library label Mar 5, 2019

@busterb busterb self-assigned this Mar 7, 2019


busterb commented Mar 7, 2019

Looks good to me, thanks @cnotin

@busterb busterb merged commit ecfd52d into rapid7:master Mar 7, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

busterb added a commit that referenced this pull request Mar 7, 2019

msjenkins-r7 added a commit that referenced this pull request Mar 7, 2019


busterb commented Mar 7, 2019

Release Notes

This adds the handling of UnicastRef2 responses in RMI serialized responses, allowing modules to exploit a wider variety of targets.

@cnotin cnotin deleted the cnotin:patch-2 branch Mar 7, 2019
